View Full Version : snpslmd on solaris...


netman
March 30th, 2001, 07:42
I tried to crack snpslmd on Solaris using SDK v6.1 and adb.
snpslmd implements a user crypt filter, so Nolan Blender's latest essay is a big help in this.
After two days of work, I got the xor values and the permutation table (of course, lm_code.h is ready).
But the lmcrypt I built just doesn't generate a correct key.
I modified lm_code.h, lmkeyfil.c, lmappfil.c and everything mentioned in NB's essay.
So help!!!
If it helps, I could post all the info I got (xor/table/seeds).
Or could someone out there who already has experience with snpslmd help check my extracted info?
Maybe I missed something tricky?
Anyway, thanks in advance.

----
netman

nblender
March 30th, 2001, 17:13
Post what you got so far and I'll have a look.

--nb.

Does anyone know a good place to store temporary files?

I have the 6.1 Solaris FLEXlm SDK here, and there's
enough people interested that it would be nice
if it was available.

netman
March 30th, 2001, 19:17
thanks, NB!!!!
...
code:
.
.
.
VENDOR_KEY4 0xdf0ab4f1
VENDOR_KEY5 0x74f2127a
...
XOR:
0x3c, 0x31, 0x20, 0x2a,
.
.
.
0x38, 0x22, 0x21, 0x37
...
table:
{5,0,1,7,6,3,4,2}, /* idx 00 */
.
.
.
{3,6,4,2,0,7,1,5}, /* idx 15 */
.
.
.
{7,5,4,1,2,6,3,0}, /* idx 19 */

---
netman

nblender
March 30th, 2001, 20:12
Quote:
netman (03-30-2001 16:17):
thanks, NB!!!!
...
code:
ENCRYPTION_SEED1 0x987d844e
ENCRYPTION_SEED2 0xf43dc726

netman


The tables you have for the user filter are OK,
but the encryption seeds that you have are incorrect.

11d215b5 7d9256dd are the values that I got.

netman
March 30th, 2001, 21:14
NB, big thanks for your help.
lmcrypt works now.
I will check my seeds more carefully. Thanks again...

[NOTE: I removed some info from my previous post. It contained all the info needed to easily crack snpslmd. If you need any help, just mail me.]

nblender
March 31st, 2001, 01:10
Quote:
netman (03-30-2001 18:55):
NB, big thanks for your help.
lmcrypt works now.
I will check my seeds more carefully. Thanks again...

[NOTE: I removed some info from my previous post. It contained all the info needed to easily crack snpslmd. If you need any help, just mail me.]

You're welcome.

FYI, arguments in slowlaris are passed in registers, so you have to set the register
corresponding to the leftmost argument to zero
in order to get a null pointer passed in as the job ptr.

This also doesn't work on 7.2 and later versions.

Paul
March 31st, 2001, 05:32
Quote:
nblender (03-30-2001 22:10):
Quote:
netman (03-30-2001 18:55):
NB, big thanks for your help.
lmcrypt works now.
I will check my seeds more carefully. Thanks again...

[NOTE: I removed some info from my previous post. It contained all the info needed to easily crack snpslmd. If you need any help, just mail me.]

You're welcome.

FYI, arguments in slowlaris are passed in registers, so you have to set the register
corresponding to the leftmost argument to zero
in order to get a null pointer passed in as the job ptr.

This also doesn't work on 7.2 and later versions.

Paul Lee
March 31st, 2001, 05:43
Sorry, I made a mistake!!

How can I get the correct seeds in FLEXlm 7.1 or higher?
I have read the lm_new.c file of v6.1 and v7.2a:

In v6.1, if the job is null, it sets the memory to zero, so I can get the correct seeds:
if (job)
{
    .
    .
    .
}
else
{
    memset(t2.a, 0, sizeof(t2.a));
}

But in v7.2a, if the job is null, it returns directly, so I can't get the correct seeds:

if (job)
{
    .
    .
    .
}
else
{
    return;
}

Thanks for any help!!!

nblender
March 31st, 2001, 13:18
In order to get the seeds out with later
versions, you have to recombine information
from the job structure and the vendorcode
structure.

As it turns out, the algorithms used to distribute the data between the
VENDORCODE and the job structures are quite simple and based only on the first
character of the vendorname. Since lm_new.c is generated by lmrand2, it is
possible to totally reverse engineer how the seeds are extracted, then write a
program to recombine the data from the job structure and the vendorcode
structure, and recover the seeds this way. The essay nol_flex.htm contains a
detailed description of this.

Paul Lee
March 31st, 2001, 21:53
Quote:
nblender (03-31-2001 10:18):
In order to get the seeds out with later
versions, you have to recombine information
from the job structure and the vendorcode
structure.

As it turns out, the algorithms used to distribute the data between the
VENDORCODE and the job structures are quite simple and based only on the first
character of the vendorname. Since lm_new.c is generated by lmrand2, it is
possible to totally reverse engineer how the seeds are extracted, then write a
program to recombine the data from the job structure and the vendorcode
structure, and recover the seeds this way. The essay nol_flex.htm contains a
detailed description of this.


Thanks Nblender.
Is this essay's title "Information Hiding Methods used by FlexLM Targets
An Explanation of the FlexLM Seed Hiding System" ?

ic_ray
September 20th, 2002, 06:26
Dear netman and nblender,
Can you mail me the permutation table of snpslmd? I also want to try it and study it. Thank you.

nblender
September 20th, 2002, 16:20
I sent you the first 4 entries of the xortable and the permutation
table. This is enough to get you started, but I don't think it is
appropriate for me to send you a full solution.

--nb